In October 2016, hackers stole names, email addresses, and phone numbers of 57 million Uber riders around the world, along with data on more than 7 million drivers, which included over 600,000 drivers' license records.
The breach was apparently caused when hackers compromised a private GitHub repository and harvested engineering credentials that were later used to access an Amazon Web Services (AWS) account and the information stored in it.
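The attack path described above starts with long-lived cloud credentials sitting in a source repository. The following is an added example, not code from the article or from Uber, of the kind of check a defender would run as a pre-commit hook or CI step to catch that before it is pushed: it scans text for the shape of AWS access key IDs and for a secret access key assigned next to a variable name containing "secret". The regular expressions are simplified assumptions for illustration, and the sample credentials are AWS's own published placeholder values, not real keys.

```python
import re
import sys
from typing import Dict, List, Tuple

# Credential shapes this example looks for. These patterns are simplified
# assumptions written for this example, not copied from any official scanner:
# - Long-term IAM user access key IDs are 20 characters beginning with "AKIA".
# - A candidate secret access key is a 40-character base64-like value assigned
#   to a variable whose name contains "secret".
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
    ),
}

# Constructed sample file content. The key values are the placeholder
# credentials AWS uses in its own documentation, so they are not live secrets.
SAMPLE_CONFIG = """\
# constructed sample deployment config (not real credentials)
region = us-east-1
AWS_ACCESS_KEY_ID = AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_host = db.internal
"""


def redact(secret: str) -> str:
    """Keep only the first and last four characters so reports never echo a full key."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return one (line_number, pattern_name, redacted_value) tuple per hit."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "# allow-secret" in line:  # explicit opt-out for test fixtures
            continue
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, redact(match.group(1))))
    return findings


def scan_files(paths: List[str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Scan each path and map it to its findings (empty list means clean)."""
    results: Dict[str, List[Tuple[int, str, str]]] = {}
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            results[path] = scan_text(fh.read())
    return results


if __name__ == "__main__":
    # With no arguments, scan the embedded sample; otherwise scan the given files,
    # e.g. the output of `git diff --cached --name-only` from a pre-commit hook.
    if len(sys.argv) > 1:
        report = scan_files(sys.argv[1:])
    else:
        report = {"<sample>": scan_text(SAMPLE_CONFIG)}
    blocked = False
    for path, hits in report.items():
        for lineno, name, value in hits:
            blocked = True
            print(f"{path}:{lineno}: {name} found ({value})")
    sys.exit(1 if blocked else 0)
```

The hook exits non-zero on any hit so the commit is refused, and it prints only redacted values so the scanner's own output does not become a second place the secret is written down. Pattern matching like this is a cheap first line; the durable fix is to keep long-lived keys out of repositories altogether (short-lived role credentials, a secrets manager) and to rotate any key that ever lands in one.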
As if the breach wasn't problematic enough, it was later discovered that Uber paid the hackers $100,000 to delete the data, and then kept details of the breach quiet by disguising the payment as a payout from the legitimate bug bounty program Uber runs on the HackerOne platform.
Uber took a lashing from the FTC, which accused it of purposely misleading consumers about its privacy practices. In its original FTC settlement, Uber agreed to disclose any future security incidents in a timely manner and to submit to 20 years of periodic privacy audits.
Under the new terms, Uber is now required to submit every audit report of its privacy program to the FTC, as opposed to only submitting the initial audit report. The ride-hailing company must also retain certain records from its bug bounty programs regarding vulnerabilities and unauthorized access to consumer data.
Meanwhile, the revised settlement also threatens Uber with civil penalties if it fails to notify the FTC of future security breaches involving consumer information.
"After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company's strikingly similar 2014 breach," acting FTC chairman Maureen Ohlhausen said in a statement. "The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future."